A dream world for the CISO
Organizations have a wide variety of resources to protect, and some are easier to protect than others. However, it’s not the easy issues that keep a CISO up at night. Before we dive into the more challenging examples, let’s first consider the scenario a CISO dreams about.
In this scenario, when a worker “gets to work” (either in the office or remotely), they open their corporate laptop and log into a SaaS application. The worker types the URL into their browser, logs in with their SSO provider, and authenticates using their fingerprint (a biometric) on the device. Behind the scenes, the user connects to the application via a Zero Trust Network Access (ZTNA) solution and authenticates with the SAML protocol (or OIDC or OAuth 2.0), the modern authentication method for cloud applications.
This scenario is the dream (and easiest) scenario to protect:
- Modern cloud application
- Policy-based application access
- Phishing-resistant authentication
- Managed and trusted device
The reality check
However, the ideal scenario is also the one that is least likely to result in a breach. Instead, attackers are exploiting legacy technology and networks where it is difficult to implement additional security and enforce policies such as phishing-resistant multi-factor authentication (MFA) or ZTNA. As organizations progress on their journey to modernize infrastructure, we need a realistic plan to protect the long tail of legacy assets that are still in operation and can be difficult to protect.
What can be done?
Layered Protection with RADIUS
One of these underrated, but common, authentication protocols is RADIUS (Remote Authentication Dial-In User Service). RADIUS is a traditional network-based authentication protocol for users and devices that need to connect to the network.
If your organization is in a position where routers, switches, wireless access points, and VPNs use RADIUS, Cisco can help. First, Cisco Identity Services Engine (ISE) provides a layer of network access control by offering AAA (authentication, authorization, and accounting) protection. This protection covers users connecting to the network in the office as well as workers connecting to the network through the VPN.
The challenges and security implications around legacy VPN access are well documented, which is why organizations are moving toward a modern architecture with ZTNA. The problem is that many legacy applications are not compatible with ZTNA, and organizations struggling to find a solution that meets their needs have to hold on to their VPN infrastructure. It’s no surprise that while 86% of organizations have started to adopt zero trust, 98% of them are not yet mature; they are essentially stuck on this path.
That’s where Cisco Secure Access comes in. Secure Access integrates both VPNaaS and ZTNA capabilities. This enables organizations to modernize VPN infrastructure and connect through Cisco’s cloud solution, falling back to VPNaaS if ZTNA is not possible. In practice, all users have the same experience when connecting to applications (legacy or modern, VPN-requiring or ZTNA-capable), and the technology takes care of the work behind the scenes.
When it comes to VPNaaS use cases, organizations with an ISE deployment can take advantage of the unique integration between Secure Access and Cisco ISE to provide an additional layer of protection. This means that when users connect to VPNaaS, they are protected by ISE authentication, posture assessment, and network segmentation, all through a single agent: Cisco Secure Client.
We start with VPNaaS and Cisco ISE working together and then add another layer of defense with a second form of authentication (that’s where the “multi” in MFA comes into play). Cisco Duo can offer RADIUS legacy VPN support through the Duo Authentication Proxy by adding servers to an organization’s environment. But when you use Duo with ISE and VPNaaS, there is an API integration that allows for RADIUS authentication without the need for an additional server in your environment. And all the end user sees is the familiar Duo Push they are used to when accessing cloud applications.
Now, even when authenticating with RADIUS, users have a seamless experience and organizations have layered protection to close potential gaps in the attack surface.
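To make the RADIUS mechanics behind the layered authentication above concrete, here is an added example (not Cisco’s code and not from the original post) that builds an RFC 2865 Access-Request on the network-device side, lets a server answer with an Access-Challenge carrying a State attribute (the round in which a second factor such as a push approval would be collected), and verifies the Response Authenticator with the shared secret. The shared secret, user name, password and State value are constructed sample values.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_STATE = 1, 2, 24                     # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16 bytes, XOR each chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def encode_attrs(attrs) -> bytes:
    # Type-Length-Value encoding; Length counts the two header bytes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(payload: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        t, length = payload[pos], payload[pos + 1]
        if length < 2:            # malformed attribute: stop rather than loop forever
            break
        attrs[t] = payload[pos + 2:pos + length]
        pos += length
    return attrs

def build_access_request(ident, secret, username, password, authenticator=None, state=None):
    """Device side: Access-Request with hidden password; State is echoed back on the MFA round."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username), (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))]
    if state is not None:
        attrs.append((ATTR_STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code, ident, request_authenticator, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def verify_response(packet, request_authenticator, secret):
    """Device side: return (code, attrs) only if the Response Authenticator matches, else None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return packet[0], parse_attrs(packet[20:])
```

Both the password hiding and the response integrity rest on MD5 and a shared secret rather than on modern cryptography, which is why RADIUS traffic belongs on a trusted or tunneled path such as the ISE and VPNaaS layering described above.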
Protect your organizations with User Protection Suite
In an ideal world, an organization would be able to protect all of its resources using the most advanced and modern technology and protocols. However, organizations have a wide range of assets that need protection, regardless of how easy or difficult it is to protect them. By combining network protection through Cisco ISE with tools like the User Protection Suite, Cisco can provide the solutions you need today while continuing to modernize for the future, and allow CISOs to rest easy.
To learn more about how the Cisco User Protection Suite can protect your workforce, connect with an expert today.